CVE-2024-27622 is a remote code execution (RCE) vulnerability identified in the User Defined Tags module of CMS Made Simple, specifically affecting versions 2.2.19 and 2.2.21. The root cause is inadequate sanitization of user-supplied input within the 'Code' section of this module. This flaw allows authenticated users with administrative privileges to inject arbitrary PHP code, which the system subsequently executes. The vulnerability is categorized under CWE-75 (Improper Neutralization of Special Elements used in a Path) and CWE-94 (Improper Control of Generation of Code). The CVSS v3.1 base score is 7.2, reflecting a high severity due to network attack vector (AV:N), low attack complexity (AC:L), required privileges (PR:H), no user interaction (UI:N), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Since exploitation requires admin-level authentication, the attack surface is limited to trusted users or compromised credentials. However, successful exploitation leads to full system compromise, allowing attackers to execute arbitrary PHP code, potentially leading to data theft, defacement, or further network pivoting. No patches or exploit code are currently publicly available, but the vulnerability is published and should be addressed promptly.

The vulnerability poses a significant risk to organizations running CMS Made Simple versions 2.2.19 and 2.2.21, especially those with multiple administrators or weak credential management. An attacker exploiting this flaw can execute arbitrary PHP code remotely, leading to complete system compromise. This includes unauthorized access to sensitive data, modification or destruction of website content, installation of backdoors or malware, and lateral movement within the network. The impact extends to confidentiality, integrity, and availability of the affected web servers and potentially connected systems. Given the administrative privileges required, insider threats or credential theft scenarios are particularly concerning. Organizations relying on this CMS for public-facing websites or internal portals may face reputational damage, regulatory penalties, and operational disruption if exploited.

Organizations should immediately verify if they are running CMS Made Simple versions 2.2.19 or 2.2.21 with the User Defined Tags module enabled. Since no official patch links are currently available, administrators should consider the following mitigations: 1) Restrict administrative access strictly to trusted personnel and enforce strong authentication mechanisms, including multi-factor authentication. 2) Audit and monitor administrative accounts for suspicious activity or unauthorized access attempts. 3) Temporarily disable or remove the User Defined Tags module if feasible until a patch is released. 4) Implement web application firewalls (WAF) with custom rules to detect and block suspicious PHP code injection attempts targeting the module. 5) Conduct regular code reviews and input validation improvements on custom modules or extensions. 6) Maintain up-to-date backups and have an incident response plan ready in case of compromise. 7) Monitor official CMS Made Simple channels for forthcoming patches or security advisories and apply updates promptly once available.